LONDON: Young people should be better educated on cybersecurity and the dangers of ransomware before they enter the workplace, an industry expert has said.

Matt Cooke, cybersecurity strategist at digital security firm Proofpoint, said that, while businesses and the public are more aware than ever of the dangers of cyber attacks, more can be done to prepare people to deal with a cyber threat, because attacks such as ransomware often start with the targeting of individuals.

“I think we’re doing better at it, everyone is doing better at it. We see a lot of organisations with good security awareness programmes, and we see a lot of organisations actually doing phishing simulations and things like that,” he told the PA news agency.

“But I think we need to do better at doing it earlier, so that when people are coming into the workforce they understand the threats that they’re going to face, in the same way we talk to teenagers about risks they might face on the street. We need to get to that level of understanding for people as they’re coming into the workforce.

“Also, I think organisations out there can do a much better job of defining what normal communications look like for their employees – for example, ‘Is it normal for somebody to be sending me a Teams message at four o’clock in the morning?’. That’s a fairly easy one to spot, but maybe there are other scenarios where these types of interactions can lead people down the wrong path.

“If a company does a good job of educating their staff on what’s normal, then it will help them spot what is abnormal.”

The cybersecurity expert said it is positive to see the Government and the intelligence services talking more publicly about the threats around cybersecurity, and that he welcomed proposals from ministers earlier this year which could see public sector firms and national infrastructure bodies banned from making ransomware payments.

“We’re still talking about it, and we’ve been talking about it for a long time, and that on the one hand is frustrating because it says we still have the same problems that we’ve always had around people getting caught by phishing or ransomware and still run into those challenges,” he told PA.

“But on the other hand, it’s positive that we continue to talk about it. It’s positive that we keep it at the forefront of people’s minds, because it is generally people that get targeted, and so if we’re not educating people, we’re missing our best opportunity to build a defence against some of the challenges.

“Ultimately, what we’ve got is cyber crime which is fuelled by money, and, whilst the money is readily available, cyber crime will continue in the same way as every other crime on the street. If there is a source of income there for gangs, criminals, organisations it will carry on rolling.

“It’s fantastic that it is getting more attention from Government, and it’s about time, and I think everyone in the cybersecurity industry is happy about that.

“Unfortunately, the reason it still exists is because people pay. If we didn’t pay, the attackers would have to evolve and come up with a different business model. But, as it stands right now, because organisations are prepared to pay, they’re ultimately fuelling the economy that sits behind ransomware, which is generally criminal enterprise. So if we can find a way that we’re not reinforcing that business model then that’s a positive and it will make the problem less.

“The big challenge that a lot of organisations face is the fact that the way ransomware generally starts is with a person in the organisation being targeted.

“It (ransomware) is easy to scale – it wouldn’t be hard for you to find out my email address if you didn’t know it, and then that means you could target me. So it’s a huge challenge. We have to one, make it harder, and two, we need to make the money dry up.”

The latest Cyber Security Breaches Survey, published by the Government earlier this month, showed that four in 10 businesses were affected by a cyber attack or breach in the last year – a slight drop on the previous year.

Cooke said he believes businesses are doing “pretty well” in general when it comes to improving cybersecurity, but highlighted the issues smaller firms have with affording robust cybersecurity measures.

He also called on more firms to focus on how artificial intelligence (AI) can be used to boost internal cybersecurity, and not just see it as a threat, or simply as a way to make their business run more efficiently from an administrative perspective.

He said focus has “shifted away from security awareness into those technologies”, and added not enough is being made of AI’s ability to spot possible weaknesses in company defences.

“You can use technology like AI to understand someone’s risk profile – to understand that maybe they are more likely to click on a link than someone else because they’ve failed a few phishing simulations, or maybe they represent more risk because they’ve got access to money in the company’s bank account, or access to data,” he said.

“So, using those tools to help understand what risk looks like is, I think, perhaps one of the most important things a company can do, because it feeds security awareness.” – dpa/Tribune News Service